---
name: hermes-feishu-multi-bot-profiles
description: Create or migrate Hermes Feishu/Lark bot profiles safely, with target-machine preflight, central Codex auth, Feishu credential isolation, and gateway stability boundaries.
version: 2.0.0
author: Hermes Agent
license: MIT
metadata:
  hermes:
    tags: [hermes, feishu, lark, profiles, gateway, launchd, openai-codex, macos]
    related_skills: [hermes-agent]
---

# Hermes Feishu Multi-Bot Profiles

Use when creating, moving, renaming, or repairing Hermes Feishu/Lark bot profiles.

## Critical rules

1. Ask which computer the bot/profile should be installed on before creating anything. Do not default to the current machine or to bot1.
2. Preflight the target machine live: hostname/IP, macOS, CPU, RAM, disk, load, memory pressure, running Hermes gateways/profiles/LaunchAgents, and role overlap with existing bots.
3. If the target is tight, crowded, overloaded, low on disk/memory, or an existing bot can do the work, refuse/postpone and suggest reuse, another machine, cleanup/migration, or upgrade.
4. Never copy `FEISHU_*` / `LARK_*` credentials between independent profiles. Each Feishu bot needs its own app credentials from `gateway setup`, except during an explicit cutover where the source gateway has been stopped.
5. On bot1, OpenAI Codex / ChatGPT OAuth auth is central: `/Users/bot1/.hermes/shared-auth/openai-codex-auth.json`. Profile `auth.json` files should symlink to it. Never print or copy token contents.
6. Do not restart gateways, change LaunchAgents, write credentials, or alter running profile services unless the user explicitly approves the exact target and scope.
7. Bot/profile mapping is not stored in this Skill. Read the local source of truth for the machine: `/Users/bot1/Documents/knowledge-base/runbooks/hermes-ops/FEISHU_PROFILE_BOT_MAPPING.json` on bot1. NAS only links to local mapping files.

## Target-machine preflight commands

```bash
hostname
sw_vers
sysctl -n machdep.cpu.brand_string 2>/dev/null || sysctl -n hw.model
sysctl -n hw.memsize
vm_stat
df -h /
uptime
ps -axo pid,pcpu,rss,etime,command | grep -E '[h]ermes.*gateway|[p]ython.*gateway' || true
launchctl list | grep -E 'ai\.hermes\.gateway' || true
hermes profile list
```

For another Mac, run equivalent checks over SSH using the known alias. Do not make changes during preflight.

## New profile default on bot1

```bash
p=<profile-name>
hermes profile create "$p"
hermes -p "$p" config set model.provider openai-codex
hermes -p "$p" config set model.default gpt-5.5
hermes -p "$p" config set model.base_url https://chatgpt.com/backend-api/codex
hermes -p "$p" config set agent.reasoning_effort high

central=/Users/bot1/.hermes/shared-auth/openai-codex-auth.json
profile_home=/Users/bot1/.hermes/profiles/$p
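# Back up any existing auth.json (regular file or symlink, including a dangling one)
# so that ln -s does not fail with "File exists". The backup may hold tokens: never print it.
if [ -e "$profile_home/auth.json" ] || [ -L "$profile_home/auth.json" ]; then
  mv "$profile_home/auth.json" "$profile_home/auth.json.backup.$(date +%Y%m%d_%H%M%S)"
fi
# Point the profile at the central Codex auth file instead of copying token contents.
ln -s "$central" "$profile_home/auth.json"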
hermes -p "$p" auth status openai-codex
```

Write only non-Feishu shared env keys if needed. Do not copy `FEISHU_APP_SECRET`, verification token, encrypt key, or pairing state into a new independent bot.

## Feishu setup for a new independent bot

Run one profile at a time:

```bash
env -u FEISHU_APP_ID -u FEISHU_APP_SECRET \
    -u FEISHU_APP_VERIFICATION_TOKEN -u FEISHU_APP_ENCRYPT_KEY \
    -u LARK_APP_ID -u LARK_APP_SECRET \
    hermes -p <profile> gateway setup
```

Choose Feishu/Lark, create a new bot by QR/launcher, wait for the user to authorize, then install/start only that profile's gateway if approved.

## Verification

- `hermes -p <profile> auth status openai-codex`
- `hermes -p <profile> gateway status`
- Verify the Feishu identity by calling `/open-apis/bot/v3/info` with the credentials in the profile `.env`, without printing secrets.
- Update the machine-local mapping JSON after identity is verified.
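
An added example (not part of Hermes or of this Skill's original commands): a read-only audit for critical rules 4 and 5 that reports profiles whose `auth.json` is not a symlink to the central auth file and profiles that share a Feishu/Lark credential value, printing profile and key names only. It assumes each profile keeps its `.env` as `KEY=value` lines directly in the profile directory; `audit_profiles` and the finding labels are hypothetical names.

```bash
#!/usr/bin/env bash
# Added example: read-only isolation audit. Prints profile and key names only.
# Assumed layout: <root>/<profile>/auth.json and <root>/<profile>/.env (KEY=value).

# audit_profiles <profiles_root> <central_auth_file>; returns 1 on any finding.
audit_profiles() {
  local root=$1 central=$2 rc=0 dir name auth env dupes
  for dir in "$root"/*/; do
    [ -d "$dir" ] || continue
    name=$(basename "$dir")
    auth="${dir}auth.json"
    # auth.json must be a symlink that resolves to the central auth file.
    if [ ! -L "$auth" ]; then
      echo "AUTH_NOT_SYMLINK $name"; rc=1
    elif ! [ "$auth" -ef "$central" ]; then
      echo "AUTH_WRONG_TARGET $name"; rc=1
    fi
  done
  # Collect the .env files that exist, then compare credential values inside
  # awk so that no secret reaches stdout or a command line.
  set --
  for env in "$root"/*/.env; do
    if [ -f "$env" ]; then set -- "$@" "$env"; fi
  done
  if [ "$#" -gt 0 ]; then
    dupes=$(awk '
      /^(FEISHU|LARK)_APP_(ID|SECRET|VERIFICATION_TOKEN|ENCRYPT_KEY)=./ {
        key = substr($0, 1, index($0, "=") - 1)
        val = substr($0, index($0, "=") + 1)
        n = split(FILENAME, part, "/"); prof = part[n - 1]
        id = key SUBSEP val
        if (id in owner && owner[id] != prof)
          print "SHARED_CREDENTIAL " key " " owner[id] " " prof
        else
          owner[id] = prof
      }' "$@")
    if [ -n "$dupes" ]; then echo "$dupes"; rc=1; fi
  fi
  return "$rc"
}

# Run only when called with both paths, e.g. the bot1 paths given on this page.
if [ "$#" -eq 2 ]; then audit_profiles "$1" "$2"; fi
```

A `SHARED_CREDENTIAL` finding is acceptable only during an explicit cutover where the source gateway has been stopped.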

## Mapping rule

On bot1, update only:

```text
/Users/bot1/Documents/knowledge-base/runbooks/hermes-ops/FEISHU_PROFILE_BOT_MAPPING.json
```

Do not duplicate the full table in Skills or NAS docs. Skills should reference this file.
